The European Union (EU) will soon launch a new regulation that will require banks and firms in the global financial industry to mature their third-party risk management programs to include set cybersecurity requirements – which will also apply to the critical Information and Communication Technology (ICT) service providers they are working with.
The timeframe for meeting compliance standards will be relatively short despite the complexity expected with the new cybersecurity compliance framework. Understanding the Digital Operational Resilience Act (DORA), as well as acknowledging DORA’s roadmap and timeline, is important for all eligible firms so that CIOs, CISOs, and compliance managers can start planning immediately.
Although the financial resilience of organizations has recovered across the EU since 2008, ICT risk has been addressed differently by the various member states' financial supervisors. This has caused an inconsistent approach resulting in a proliferation of individual national regulatory initiatives.
In February 2020, the European Systemic Risk Board (ESRB) expressed deep concerns about the need to consolidate third-party risk management requirements in financial entities across Europe. This recommendation was sent out following a report published on cyber incidents, which identified cyber risk as being one of the sources of systemic risk to the financial system that could have serious negative consequences.
The report recognized one single event could trigger a systemic crisis threatening financial stability. As stated in a Cybersecurity Ventures report, global cybercrime costs are expected to grow by 15% per year over the next five years — reaching $10.5 trillion USD annually by 2025. Furthermore, we have been seeing an increase in the number and severity of cyber threats associated with ICT risks such as phishing, identity theft, and ransomware, which is further highlighted by vendor concentration that promotes the spread and effectiveness of cyber threats.
DORA will specifically focus on 20 types of regulated EU financial entities. These include not only banks, credit, payment, and electronic money institutions, but also investment firms, crypto-asset service providers and many other entities working as security depositories, central counter-parties, trading venues, trade repositories, alternative investment funds and management, data reporting, insurance and reinsurance, occupational retirement pensions, credit rating, statutory auditing, or crowdfunding, among others.
Both large and small financial firms and ICT vendors will be included within DORA’s guidelines, and while some firms will face less complex guidance from the legislation, others are sure to find it more burdensome than the current requirements in place. It is also expected that future Digital Operational Resilience Act regulation will establish further levels and timeframes of application, depending on the size and/or scope of activity of each eligible firm.
Regardless of future scope and criteria, DORA will require all organizations to implement secure technologies and processes to raise overall supply chain resilience. Cyber risk management strategies and third-party risk management programs in particular need to evolve to address DORA’s five key pillars:
Despite Brexit, DORA will also align with the UK’s Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) requirements. This means that the UK-specific framework will exist in parallel with the guidelines provided by the European Supervisory Authorities (ESAs) – which are the European Banking Authority (EBA), the European Insurance and Occupational Pension Authority (EIOPA), and the European Securities and Markets Authority (ESMA).
Depending on how quickly potential third-party risk management requirements are addressed and agreed on by the EU regulatory body, it is expected that DORA should gain most of its form by the end of 2021. Firms should then have 12 (to possibly 18) months to comply with most of the requirements that will be announced in the first phase of the rollout.
The following subset of compliance standards is expected to give organizations another 1.5 years to get into compliance, including further secondary legislation and technical standards mapping the specific application of the rules being developed by the ESAs. The whole process should be running at full steam by the end of 2024.
This roadmap may seem to give generous time, but organizations and cybersecurity professionals should realize that the DORA timeline is aggressive, and needs to be urgently addressed – and one thing that will help your organization stay on the right track from the very beginning is to take immediate action on assessing your ICT third-party providers by keeping all data registered and up to date.
Bitsight can help your organization find the best path for this journey. With a suite of solutions based on its industry-leading Security Ratings service, Bitsight helps firms identify risk in their digital ecosystems, enabling security teams to prioritize resources to remediate the riskiest issues.
And most importantly: We will be there with you every step of the way. To learn more about how Bitsight can help your organization comply with DORA, please check our Solution Brief, and read the DORA eBook prepared as a comprehensive guide to the upcoming regulatory requirements.
Announced as part of the new Digital Finance Strategy, the Digital Operational Resilience Act (DORA) is being carried out by the European Union (EU) to harmonize Information and Communications Technology (ICT) risk requirements across Europe. Download our ebook to learn more about: